A CAPTCHA Control for ASP.NET 2

• Download source files - 7.34 KB

Note: A new version of this control is available here. All further updates to the control are posted to the project's page on SourceForge.net.

Introduction

CAPTCHA is short for "completely automated public Turing test to tell computers and humans apart", and is the most popular technique used to prevent computer programs from sending automated requests to Web servers. These can be for meta-searching search engines, doing dictionary attacks in login pages, or sending spam using mail servers. You might have seen CAPTCHA images in the Google register page when you do availability check on too many usernames, or in Yahoo!, PayPal, or other big Web sites.

Sources

The first CAPTCHA image generator I used was written using the CAPTCHA Image article by BrainJar. After that, I read the MSDN HIP challenge article and made many changes to my code. The code used in this control is based on the MSDN HIP article, but some parts are not changed.

How It Works

• Captcha.ascx is the control file. When loaded, it calls the SetCaptcha() method. This method does everything needed, using other classes.
• RandomText class generates cryptographically-strong random texts.
• RNG class generates cryptographically-strong random numbers.
• CaptchaImage class creates the image.
• Encryptor class is used for encryption and decryption.
• Captcha.ashx returns the image.

We will discuss some of them later in this article.

The Control

The main method in the control code is SetCaptcha() which is executed whenever we need to change the picture or load it.

private void SetCaptcha()
{
    // Set image
    string s = RandomText.Generate();

    // Encrypt
    string ens = Encryptor.Encrypt(s, "srgerg$%^bg",
                 Convert.FromBase64String("srfjuoxp"));

    // Save to session
    Session["captcha"] = s.ToLower();

    // Set URL
    imgCaptcha.ImageUrl = "~/Captcha.ashx?w=305&h=92&c=" +
                          ens + "&bc=" + color;
}

This encrypts a random text using an encryption key which is hard-coded in this code. To prevent hard coding, you can store this information in the database and retrieve it when needed. This method also saves text to the session for comparison with user input.

To make the control style match with the page style, there are two properties used:

• Style
• Background color

The Style property sets the control style and the background color sets the background color for the generated image.

Two event handlers handle the Success and Failure events. We use a delegate for these handlers.

public delegate void CaptchaEventHandler();

When the user submits the form, btnSubmit_Click() validates the user input.

protected void btnSubmit_Click(object s, EventArgs e)
{
    if (Session["captcha"] != null && txtCaptcha.Text.ToLower() ==
    Session["captcha"].ToString())
    {
        if (success != null)
        {
            success();
        }
    }
    else
    {
        txtCaptcha.Text = "";
        SetCaptcha();

        if (failure != null)
        {
            failure();
        }
    }
}

RNG Class

The RNG class generates cryptographically-strong random numbers, using the RNGCryptoServiceProvider class.

public static class RNG
{
    private static byte[] randb = new byte[4];
    private static RNGCryptoServiceProvider rand
                   = new RNGCryptoServiceProvider();

    public static int Next()
    {
        rand.GetBytes(randb);
        int value = BitConverter.ToInt32(randb, 0);
        if (value < 0) value = -value;
        return value;
    }
    public static int Next(int max)
    {
        // ...
    }
    public static int Next(int min, int max)
    {
        // ...
    }
}

RandomText Class

To create a cryptographically-strong random text, we use the RNG class to randomly select each character from the array of characters. This is a very useful technique I first saw in the CryptoPasswordGenerator.

public static class RandomText
{
    public static string Generate()
    {
        // Generate random text
        string s = "";
        char[] chars = "abcdefghijklmnopqrstuvw".ToCharArray() +
                       "xyzABCDEFGHIJKLMNOPQRSTUV".ToCharArray() +
                       "WXYZ0123456789".ToCharArray();
        int index;
        int lenght = RNG.Next(4, 6);
        for (int i = 0; i < lenght; i++)
        {
            index = RNG.Next(chars.Length - 1);
            s += chars[index].ToString();
        }
        return s;
    }
}

CaptchaImage Class

This is the heart of our control. It gets the image text, dimensions, and background color, and generates the image.

The main method is GenerateImage() which generates the image using the information we provide.

private void GenerateImage()
{
    // Create a new 32-bit bitmap image.
    Bitmap bitmap = new Bitmap(this.width, this.height,
        PixelFormat.Format32bppArgb);

    // Create a graphics object for drawing.
    Graphics g = Graphics.FromImage(bitmap);
    Rectangle rect = new Rectangle(0, 0, this.width, this.height);
    g.SmoothingMode = SmoothingMode.AntiAlias;

    // Fill background
    using (SolidBrush b = new SolidBrush(bc))
    {
        g.FillRectangle(b, rect);
    }

First, we declare Bitmap and Graphics objects, and a Rectangle whose dimensions are the same as the Bitmap object. Then, using a SolidBrush, we fill the background.

Now, we need to set the font size to fit within the image. The font family is chosen randomly from the fonts family collection.

// Set up the text font.
int emSize = (int)(this.width * 2 / text.Length);
FontFamily family = fonts[RNG.Next(fonts.Length - 1)];
Font font = new Font(family, emSize);

// Adjust the font size until
// the text fits within the image.
SizeF measured = new SizeF(0, 0);
SizeF workingSize = new SizeF(this.width, this.height);

while (emSize > 2 &&
      (measured = g.MeasureString(text, font)).Width
       > workingSize.Width || measured.Height
       > workingSize.Height)
{
    font.Dispose();
    font = new Font(family, emSize -= 2);
}

We calculate a size for the font by multiplying the image width by 2 and then dividing it by the text length. It works well in most cases; for example, when the text length is 4 and the width is 8 pixels, the font size would be 4. But if the text length is 1, the font size would be 16. Also, when the image height is too short, the text will not fit within the image. When the calculated size is less than 2, we can be sure that it fits within the image except when the image height is very short, which we don't pay attention to. But when it is bigger than 2, we must make sure that the text fits within the image. We do that by getting the width and height the text needs for the selected font and size. If the width or height doesn't fit, then we reduce the size and check again and again till it fits.

The next step would be adding the text. It is done using a GraphicsPath object.

GraphicsPath path = new GraphicsPath();
path.AddString(this.text, font.FontFamily,
        (int)font.Style, font.Size, rect, format);

The most important part is colorizing and distorting the text. We set the text color using RGB codes, each one using a random value between 0 and 255. A random color is then generated successfully. Now, we must check if the color is visible within the background color. It's done by calculating the difference between the text color R channel and the background color R channel. If it is less than 20, we regenerate the R channel value.

// Set font color to a color that is visible within background color
int bcR = Convert.ToInt32(bc.R);
int red = random.Next(256), green = random.Next(256), blue =
    random.Next(256);
// This prevents font color from being near the bg color
while (red >= bcR && red - 20 < bcR ||
    red < bcR && red + 20 > bcR)
{
    red = random.Next(0, 255);
}
SolidBrush sBrush = new SolidBrush(Color.FromArgb(red, green, blue));
g.FillPath(sBrush, path);

Lastly, we distort the image by changing the pixel colors. For each pixel, we select a random picture from the original picture (the Bitmap object which we don't change) and set a random pixel color for it. Since distort is random, we see different distortions.

// Iterate over every pixel
double distort = random.Next(5, 20) * (random.Next(10) == 1 ? 1 : -1);

// Copy the image so that we're always using the original for
// source color
using (Bitmap copy = (Bitmap)bitmap.Clone())
{
    for (int y = 0; y < height; y++)
    {
        for (int x = 0; x < width; x++)
        {
            // Adds a simple wave

            int newX =
              (int)(x + (distort * Math.Sin(Math.PI * y / 84.0)));
            int newY =
              (int)(y + (distort * Math.Cos(Math.PI * x / 44.0)));
            if (newX < 0 || newX >= width)
                newX = 0;
            if (newY < 0 || newY >= height)
                newY = 0;
            bitmap.SetPixel(x, y,
            copy.GetPixel(newX, newY));
        }
    }
}

Captcha.ashx

This HTTP handler gets the information needed to create a CAPTCHA image, and returns one. Note that this handler receives the encrypted text and has the key to decrypt it.

public class Captcha : IHttpHandler
{
    public void ProcessRequest (HttpContext context) {
        context.Response.ContentType = "image/jpeg";
        context.Response.Cache.SetCacheability(HttpCacheability.NoCache);
        context.Response.BufferOutput = false;

        // Get text
        string s = "No Text";
        if (context.Request.QueryString["c"] != null &&
            context.Request.QueryString["c"] != "")
        {
            string enc = context.Request.QueryString["c"].ToString();

            // space was replaced with + to prevent error
            enc = enc.Replace(" ", "+");
            try
            {
                s = Encryptor.Decrypt(enc, "srgerg$%^bg",
            Convert.FromBase64String("srfjuoxp"));
            }
            catch { }
        }
        // Get dimensions
        int w = 120;
        int h = 50;
        // Width
        if (context.Request.QueryString["w"] != null &&

            context.Request.QueryString["w"] != "")
        {
            try
            {
                w = Convert.ToInt32(context.Request.QueryString["w"]);
            }
            catch { }
        }
        // Height
        if (context.Request.QueryString["h"] != null &&
            context.Request.QueryString["h"] != "")
        {
            try
            {
                h = Convert.ToInt32(context.Request.QueryString["h"]);
            }
            catch { }
        }
        // Color
        Color Bc = Color.White;
        if (context.Request.QueryString["bc"] != null &&

            context.Request.QueryString["bc"] != "")
        {
            try
            {
                string bc = context.Request.QueryString["bc"].
            ToString().Insert(0, "#");
                Bc = ColorTranslator.FromHtml(bc);
            }
            catch { }
        }
        // Generate image
        CaptchaImage ci = new CaptchaImage(s, Bc, w, h);

        // Return
        ci.Image.Save(context.Response.OutputStream, ImageFormat.Jpeg);
        // Dispose
        ci.Dispose();
    }

    public bool IsReusable
    {
        get
        {
            return true;
        }
    }
}

There are only two points to be noted about this class:

1. Since in a URL, '+' means space, we replace a space with '+' (for encrypted text).
2. Using # in the URL causes problems. We don't send # with the color value. For example, when color is #ffffff, we send ffffff and then add # in the handler.

Summary

When the control loads, it executes the SetCaptcha() method. The RandomText class generates a random text, and we save the text to the Session object and encrypt it. This method then generates the image URL using the dimensions, the encrypted text, and the background color information.

You may see an example of using this control in the source code.

You must Sign In to use this message board.

FAQ    Noise Tolerance Very HighHighMediumLowVery Low   Layout Expand Posts & RepliesThread ViewNo JavascriptNo JS + Preview   Per page 102550

Msgs 1 to 25 of 62 (Total in Forum: 62) (Refresh) FirstPrevNext

Nice Simple Captcha Implementation Member 4632070 4:34 21 Oct '08   This is very nice and simple implementation of captcha. Very easy to understand. thanks a lot for the article. Nandu Sign In·View Thread·PermaLink Newbie Tutorial [modified] princerc 9:45 2 Sep '08   Can you please provide a correct installation guide for this control to use it on a standard asp.net page. I am have having no lucky installing any of the versions listed. A simple step by step guide would be suffice - Including customising the control i.e play button image, size of control etc Aaron modified on Tuesday, September 2, 2008 5:22 PM Sign In·View Thread·PermaLink 1.00/5 (1 vote) Adding Antialiasing Waleed Eissa 7:34 16 Jul '08   Great article! one thing though, I see that the generated captcha is quite jagged, why not use TextRenderingHint.AntiAlias? Waleed Eissa Software Developer Sydney modified on Wednesday, July 16, 2008 1:29 PM Sign In·View Thread·PermaLink Re: Adding Antialiasing Waleed Eissa 8:29 16 Jul '08   Well, after adding my last post I did some testing using TextRenderingHint.AntiAlias but it didn't seem to make much difference, any idea how we can make the captcha look more anti-aliased? Waleed Eissa Software Developer Sydney Sign In·View Thread·PermaLink Handler while using IIS problem zirosman 4:38 27 Apr '08   Hello, Thanks for this control ! Hope someone can help me: I have a TestCaptcha website. when I'm usingthe built in VS Development webserver all the handlers working ok. [I see the images for the Captcha Image and the accsibilty audio] after I moved to an IIS webserver [not the built in] the images not showing hope for any help. TIA Sign In·View Thread·PermaLink Re: Handler while using IIS problem zirosman 20:14 27 Apr '08   Solved with help of https://sourceforge.net/forum/forum.php?thread_id=2007283&forum_id=796294[^] Sign In·View Thread·PermaLink Re: Handler while using IIS problem Peter100001 8:52 9 Mar '09   In IIS7.0, you need to add the Manage handler in "Handler mappings" for recaptcha. For the path "CaptchaImage.aspx" put the handler as "WebControlCaptcha.CaptchaImageHandler" and give any name you like. Press "OK" and you are done. Got this from another post elswhere Peter Sign In·View Thread·PermaLink Nice implementation of this captcha CoolVini 5:24 6 Mar '08   Nice idea, I get your control, is the only real working as captcha, and I mean the only that works in a real multi web, multi user and multi thread enviroment, all the rest just not work. I make your control, and with code from other captcha I made a final control that is super. In the time of developing, I like to tell you that is better to save the capta charachters inside the page under a hidden label (asp:label) and not under session because if some one open the same page with the captcha 2 times this is not working (because they share the same session). Also if you place the captcha in more than one page, or more than one times the session is not working. Thank you for this code. Aris Sign In·View Thread·PermaLink 1.00/5 (1 vote) Re: Nice implementation of this captcha Farshid Hosseini 23:37 13 Mar '08   Dear Aris, Thank you for reading my article. You are right about the session. Even if someone opens two different pages with the control is both of them, he or she will see the same text in both pages. But since each text is removed from session after one use, this does not make the control security vulnerable. This is a bug anyway. A new version of this control is available at http://sourceforge.net/projects/captchadotnet/. Session is not used in the new version. This is an open-source project (source code released under LGPL). So you are kindly invited to contribute. All the best, Farshid Sign In·View Thread·PermaLink Re: Nice implementation of this captcha CoolVini 1:52 14 Mar '08   I get the code but you have not include the project and one web for test. Can you please do so to have the same code for tests. here is a page that I have place your control with modifications [^][^] the "try a diferent image" not working correct, but I do not have the time to fix it. And in general I have no time right now. The last captcha that I use right now takes me a week developing and testing, that is a lot if you think how many captcha is out there all ready. Sign In·View Thread·PermaLink Re: Nice implementation of this captcha Farshid Hosseini 2:49 14 Mar '08   Do you mean I should place a demo project there? Sign In·View Thread·PermaLink Re: Nice implementation of this captcha CoolVini 3:03 14 Mar '08   No, I download the code from the open source and there is no project file, nether a web test page for test. I say that maybe is better to place on the open source all the files, and the project files that you use to compile the final dll, and make your tests. Now this is just an ask for it, if you don't do it I must make one. Sign In·View Thread·PermaLink Re: Nice implementation of this captcha Farshid Hosseini 4:35 14 Mar '08   If you mean Visual Studio project files, I cannot upload them as part of source code as not everyone uses VS. I mean one may use another IDE. You can create a new class library project in VS and place the files in it. Also, you can compile the source code using command line C# compiler as I have. Sign In·View Thread·PermaLink Re: Nice implementation of this captcha CoolVini 4:50 14 Mar '08   ok, I will do that. Sorry for all this question, I never have work with open source in the past. Sign In·View Thread·PermaLink Re: Nice implementation of this captcha Farshid Hosseini 5:12 14 Mar '08   You are welcome. There several forums (https://sourceforge.net/tracker/?group_id=220909) and three trackers (https://sourceforge.net/tracker/?group_id=220909) there at project's page on sf.net. Feel free to ask all your questions there. Best regards, Farshid Sign In·View Thread·PermaLink Questions and comments jmcunningham 5:31 27 Nov '07   Hi - Thank you for making this available. As a newbie to ASP.NET it's great to find something that works first time for me. Two questions - 1) My background colour never changes from white unless I code it in the call to be something other than #FFFFFF. Any idea why ? (I'm using Visual Web Developer Express) 2) Will you be making a version that can be added to an existing Visual Basic web site (or is my lack of experience showing) ? And a comment - My ASP.NET enabled web hosting service doesn't allow you to load any custom .dll files, so your solution is great (and I can't use something like the reCAPTCHA service. Regards, Mike Sign In·View Thread·PermaLink Re: Questions and comments Farshid Hosseini 23:13 13 Mar '08   Dear Mike, Thank you for reading my article. Please accept my sincere apologizes for this really delayed response. A new version of this control is available at http://sourceforge.net/projects/captchadotnet/ . This should allow you to change background color easily. Also, you can use both controls is any .NET website(VB, C#, J# etc.) As far as I know, nearly all ASP.NET hosting providers allow using custom libraries in your website. Although you may not add them to GAC(Global Assembly Cache), but you can put dlls in bin folder of each website and reference them in your code. All the best, Farshid Sign In·View Thread·PermaLink Does anyone have this in VB SirNathaniel 2:38 1 Aug '07   Hi, Great control and dead easy to use, but i wondered if you (or anyone else) have this as vb.net instead? Many Thanks, John. Sign In·View Thread·PermaLink 1.00/5 (1 vote) Don’t put too much faith in CAPTCHAs in general JoelMMCC 12:37 26 Jun '07   An attacker who has his own popular web site can easily blow right past them. I won’t say how, as I don’t want to give anyone ideas, but this is a well-known attack and it works very well. It uses a real human’s brain and sensory processing to do the work. Sign In·View Thread·PermaLink 1.00/5 (1 vote) Re: Don’t put too much faith in CAPTCHAs in general Farshid Hosseini 3:58 27 Jun '07   Please do say. Of course, the solution is not hiding the problem. Sign In·View Thread·PermaLink random.Next(10) --> random.Next(2) il' 5:03 7 Mar '07   tip // Iterate over every pixel double distort = random.Next(5, 20) * (random.Next(10) == 1 ? 1 : -1); it should be as ... random.Next(2) ... Sign In·View Thread·PermaLink 5.00/5 (1 vote) Re: random.Next(10) --> random.Next(2) Farshid Hosseini 5:09 9 Mar '07   Hi Il. Thanks for the tip. Although this decreases chance of getting -1, but it is unlikely to result in any noticeable change in image. Changed in new version. Thank you for reading my article. Regards, Farshid Sign In·View Thread·PermaLink New Version Ready Farshid Hosseini 6:56 18 Feb '07   Hi everyone. I know that I had promised to send a new version of this control several months ago, but I didn't have opportunity to do so. Please accept my sincere apologizes. I thought that now that I have been so late, let's publish something as bug free as possible. Therefore, I have provided the URL for compiled control in this message. Please send me all the bugs you find, as well as everything you think I should add or modify. Since my source code may be a little hard to understand at the moment, I have not included it. But I will upload the source code as soon as I add necessary comments etc. CAPTCHA.NET 2, ver. 2 : http://files.farshidh.com/Captcha.NET2/Captcha.NET2.zip Cheers, Farshid Sign In·View Thread·PermaLink Re: New Version Ready mityak 5:25 22 Jun '07   The URL for CAPTCHA.NET 2, ver. 2 dosn't work http://files.farshidh.com/Captcha.NET2/Captcha.NET2.zip Sign In·View Thread·PermaLink Re: New Version Ready Jas T 0:23 28 Jun '07   Doesn't work for me either Sign In·View Thread·PermaLink

Last Visit: 21:46 21 Nov '09     Last Update: 21:46 21 Nov '09 123 Next »